Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How do I pass headers (username and password) via Apache knox to my custom service?

avatar
New Contributor

I need to access username and password in my custom rest service which is passed via knox URL. Can anybody suggest changes needs to be done in rewrite.xml or service.xml?

1 ACCEPTED SOLUTION

avatar

In your rewrite.xml you can use a rewrite function to retrieve the current effective username. You can see an example of this in WebHDFS. {code} <rule dir="IN" name="WEBHDFS/webhdfs/inbound/namenode/home/file" pattern="*://*:*/**/webhdfs/{version}/~/{path=**}?{**}"> <rewrite template="{$serviceUrl[WEBHDFS]}/{version}/user/{$username}/{path=**}?{**}"/> </rule> {code}

However password is a different matter. There are several issues with this.

  1. Depending upon the authorization provider there may be no password.
  2. The general Knox model is to protect the password not to make it easy to access.

So from this perspective perhaps we need to understand your use case a bit better to determine if there is a different way to accomplish your goals. Without more information I'm guessing you actually need a trusted proxy model where your target service needs to trust that Knox has pre-authenticated the user and therefore only the username is required.

View solution in original post

6 REPLIES 6

avatar
Master Mentor

avatar

In your rewrite.xml you can use a rewrite function to retrieve the current effective username. You can see an example of this in WebHDFS. {code} <rule dir="IN" name="WEBHDFS/webhdfs/inbound/namenode/home/file" pattern="*://*:*/**/webhdfs/{version}/~/{path=**}?{**}"> <rewrite template="{$serviceUrl[WEBHDFS]}/{version}/user/{$username}/{path=**}?{**}"/> </rule> {code}

However password is a different matter. There are several issues with this.

  1. Depending upon the authorization provider there may be no password.
  2. The general Knox model is to protect the password not to make it easy to access.

So from this perspective perhaps we need to understand your use case a bit better to determine if there is a different way to accomplish your goals. Without more information I'm guessing you actually need a trusted proxy model where your target service needs to trust that Knox has pre-authenticated the user and therefore only the username is required.

avatar
Expert Contributor

I would also offer that this mechanism would limit the usecases in which your custom service can be used to authentication that is based on username/password.

There are a number of existing and upstream authentication/federation providers that do not involve providing a password to Knox. Your service will not work with KnoxSSO, HeaderPreAuth (SiteMinder, etc), OAuth, SAML, CAS, etc.

I would suggest that you bring your usecase to the dev@ list for Apache Knox and that we determine the best approach for services like the one you have in mind.

avatar
New Contributor

Thanks @Kevin Minder @Imccay for quick reply.

I just want username from Knox url , so that I can pass this username to my custom service in Ranger for authorization. I tried to make changes in rewrite.xml as suggested but couldn't succeed in getting username in header.I checked gateway-audit.log and found this statement.

dispatch|uri|http://{hostname}:{portno}/customService/insert?user.name=user_abc|success|Response status: 200

I could see user.name appended in above dispatch url. I could retrieve this username as a query parameter from my custom rest service. I did not make any changes for this. Is this the default behaviour of Knox , that it appends username in dispatch url?

avatar

By default Knox has special behavior for Hadoop services that use the Hadoop Auth module. https://hadoop.apache.org/docs/stable/hadoop-auth/...

So yes it adds the user.name query parameter by default. I'm curios as to why {$username} isn't working for you though. What version of Knox are you using?

avatar
Master Mentor

@Bhagyashree Kulkarni has this been resolved? Please accept best answer or provide your own solution.